Advanced scanning techniques and their principles

xiaoxiao, 2021-03-06

Scanning is the foundation of every intrusion. Scan-based reconnaissance determines whether a host is up, which ports are open, which services are available, the software version behind each service, and so on. There are many tools for this, such as the well-known Nmap, Netcat and SuperScan, and China's X-Scanner.

The ICMP protocol: ping is the most common and the simplest way to tell whether a target is up. Ping sends an ICMP echo request datagram (type 8) to the target; when the host receives it, it returns an echo reply datagram (type 0). The ping program is generally implemented directly in the system kernel rather than as a user process. Ping is the most basic probe; a ping sweep pings an entire network segment to determine which hosts in that segment are running, and the well-known fping tool is such a ping sweeper.

Nowadays even basic personal firewalls block ping, which is far too elementary. How to obtain the most accurate picture of a target through a firewall is a problem many people think about all day. The scanning techniques introduced here aim to bypass security devices as far as possible and to keep the scanner hidden while still achieving the goal.

First: advanced ICMP scanning techniques

Ping relies on the ICMP protocol, and advanced ICMP scanning exploits ICMP's most basic purpose: error reporting. Under the network protocols, when something goes wrong at the receiving end it generates an ICMP error message. These error messages are not sent deliberately; the protocol generates them automatically in response to the error.

When an IP datagram is malformed, the target host discards it. If the checksum is wrong, a router discards the datagram outright. Some hosts, such as AIX and HP-UX, do not send ICMP unreachable datagrams.

We make use of these properties:
1. Send an IP packet consisting only of an IP header to the target host; the target returns a Destination Unreachable ICMP error message.
2. Send a malformed IP datagram to the target host, for example one with an incorrect IP header length; the target host returns a Parameter Problem ICMP error packet.
3. Send a fragmented datagram but withhold enough fragments that the receiver can never reassemble it; when its reassembly timer expires, the receiver sends a fragment reassembly time-exceeded ICMP datagram.

If we send an IP datagram to the target host with an invalid protocol field, for example a protocol number that is not in use, the target returns a Destination Unreachable ICMP packet. But if a firewall or some other filtering device sits in front of the target host, it may filter out the request, and no response is received at all. A very large protocol number can be placed in the IP header's protocol field; such a number is certainly not in use today, so the host must reply with unreachable. If no unreachable ICMP datagram comes back, the request was filtered by a firewall or another device. This is therefore also a way to detect whether a firewall or other filtering device is present.

The IP protocol field can also be used to discover which protocols a host is using: the field is 8 bits wide, so there are 256 possibilities, and by varying it and examining the ICMP error message the target returns we can determine which protocols are in use. If Destination Unreachable comes back, the host does not use that protocol; if nothing comes back, the host may be using the protocol, or the probe may have been filtered by a firewall. Nmap's IP protocol scan works on this principle. The ICMP fragment reassembly time-exceeded error can be used for probing in the same way. When a host receives a datagram with a missing fragment, it discards the whole packet after a certain time and sends an ICMP fragment reassembly time-exceeded error to the original sender. We can exploit this by sending an incomplete fragmented packet and then waiting for the reassembly time-exceeded ICMP message. The fragmented packet can be UDP, TCP or even ICMP, as long as the target host never obtains a complete datagram. Of course, for a connectionless, unreliable protocol such as UDP, failing to receive the time-exceeded ICMP reply may also simply mean the packet was lost on the line or for some other reason.

These properties can be used to learn a firewall's ACL (access control list), and even to map the entire network topology. If we receive neither an unreachable message nor a fragment reassembly time-exceeded error, we can draw the following conclusions:
1. The firewall filters the protocol type we sent.
2. The firewall filters the destination port we specified.
3. The firewall blocks ICMP Destination Unreachable or protocol unreachable error messages.
4. The firewall blocks ICMP error packets for the host we specified.
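As an added example (not code from the original article), the following Python names the ICMP error messages this section relies on by their RFC 792 type and code and, from the defender's side, flags a source that walks through many IP protocol numbers towards one host, which is the traffic pattern an IP protocol scan leaves behind; all addresses and packet records are constructed.

```python
from collections import defaultdict, deque

# ICMP error messages (type, code per RFC 792) that the probes described above
# rely on. Anything else (echo reply, redirects, ...) is not a probe response.
ICMP_ERRORS = {
    (3, 2): "destination unreachable: protocol unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (11, 1): "time exceeded: fragment reassembly time exceeded",
    (12, 0): "parameter problem: bad IP header",
}

def name_icmp_error(icmp_type, icmp_code):
    return ICMP_ERRORS.get((icmp_type, icmp_code), "not a probe-related ICMP error")

def detect_protocol_scans(packets, window=10.0, min_distinct=8):
    """packets: time-ordered (timestamp, src_ip, dst_ip, ip_protocol) records of
    traffic towards the protected host. Returns {(src, dst): distinct_count} for
    every source that used >= min_distinct protocol numbers within window seconds."""
    recent = defaultdict(deque)  # (src, dst) -> (ts, proto) seen inside the window
    alerts = {}
    for ts, src, dst, proto in packets:
        q = recent[(src, dst)]
        q.append((ts, proto))
        while ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= min_distinct:
            alerts[(src, dst)] = max(distinct, alerts.get((src, dst), 0))
    return alerts

def summarize_icmp_errors(replies):
    """replies: (src_ip, dst_ip, icmp_type, icmp_code) emitted by the protected
    host. Returns {(src, dst): {error_name: count}} for probe-related errors only;
    a burst of 'protocol unreachable' towards one peer is the host answering a scan."""
    summary = defaultdict(lambda: defaultdict(int))
    for src, dst, t, c in replies:
        if (t, c) in ICMP_ERRORS:
            summary[(src, dst)][ICMP_ERRORS[(t, c)]] += 1
    return summary

# Constructed sample traffic: a normal client (TCP/UDP/ICMP only), a scanner that
# walks IP protocol numbers 0-19 in two seconds, and a slow sender whose eight
# distinct protocols are spread 15 s apart and so never fill the 10 s window.
PACKETS = sorted(
    [(t, "10.0.0.5", "10.0.0.9", p) for t, p in ((0.0, 6), (0.4, 17), (1.3, 6), (2.0, 1))]
    + [(1.0 + i * 0.1, "10.0.0.77", "10.0.0.9", i) for i in range(20)]
    + [(15.0 * i, "10.0.0.23", "10.0.0.9", i) for i in range(8)]
)
# The host's constructed replies: protocol unreachable for 17 unused protocols, plus echo replies.
REPLIES = [("10.0.0.9", "10.0.0.77", 3, 2)] * 17 + [("10.0.0.9", "10.0.0.5", 0, 0)] * 2
```

Widening the window (for example to 120 s) also catches the slow sender, which is the trade-off between sensitivity and false positives on a busy host.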

Second: advanced TCP scanning techniques

The most basic TCP scan uses connect(), which is easy to implement: if the target host accepts the connection, the corresponding port is open. However, this is also the most primitive technique and the first to be blocked. Advanced TCP scanning techniques mainly exploit the three-way handshake of a TCP connection and the flag bits in the TCP header; these are the so-called half-open scans. First, the six flags of the TCP header.

URG (Urgent Pointer field significant): the urgent pointer. When it is in use the bit is 1; it is used to handle interruption of the TCP data stream.
ACK (Acknowledgment field significant): indicates that the acknowledgment number is valid. When it is 0, the segment carries no acknowledgment information and the acknowledgment number is ignored.
PSH (Push function): when the push flag is 1, the receiver should deliver the segment's data straight to the application on arrival instead of waiting for its buffer to fill.
RST (Reset the connection): used to reset a connection that has gone wrong for some reason, and also to reject invalid data and requests. Receiving an RST means some error has occurred.
SYN (Synchronize sequence numbers): used to establish a connection. In a connection request SYN = 1, ACK = 0; in the connection response SYN = 1, ACK = 1. In other words, SYN and ACK together distinguish a Connection Request from a Connection Accepted.
FIN (No more data from sender): used to release a connection; it indicates that the sender has no more data to send.
The TCP three-way handshake proceeds as follows. First the client (the requesting side) sends a TCP segment with SYN = 1, ACK = 0, indicating that it wants to establish a connection with the server. Then, if the server accepts the connection, it returns a segment with SYN = 1, ACK = 1 to the client, indicating that the server agrees to the connection and asks the client to confirm. Finally the client sends a segment with SYN = 0, ACK = 1 to the server, confirming that the connection is established.

We use these flag bits and the TCP three-way handshake to carry out scan probes.

SYN scan. This scanning method is also called a "half-open" scan because it uses only the first step of a TCP connection and never establishes a complete TCP connection. The implementation sends a TCP datagram with only the SYN flag set to a port on the remote host. If the host replies with a SYN|ACK packet, the host is listening on that port; if the reply is an RST packet, the host is not listening on that port. X-Scanner offers a SYN option.

ACK scan. Send a TCP datagram with only the ACK flag set to the host. If the host replies with a TCP RST datagram, the host exists. This can also be used to determine whether the firewall on the other side is a simple packet filter or a stateful firewall.

FIN scan. Send a TCP FIN datagram to a port on the remote host. If the host does not reply, the host exists and is listening on that port; if the host replies with a TCP RST, the host exists but is not listening on that port.

NULL scan. Send a TCP packet with no flags set at all. According to RFC 793, if the corresponding port on the target host is closed, an RST packet should be sent back.

FIN URG PUSH scan. Send a packet with the FIN, URG and PUSH flags set to the target host. According to RFC 793, if the corresponding port on the target host is closed, a packet with the RST flag should be returned. The methods above can bypass some firewalls and obtain information about the hosts behind the firewall, provided of course that no deception is in play. One advantage of these methods is that they are harder to log: some of them do not even show up in the netstat command, and ordinary security devices do not log them at all, so the scanner stays better hidden.
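As an added example that is not part of the original article, the Python below classifies TCP flag combinations into the probe types described above and, on the defender's side, detects half-open SYN scans (many SYNs never followed by the client's ACK), bare-ACK scans, and the NULL/FIN/Xmas probes that never occur in legitimate traffic; the addresses and packets are constructed.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Flag combinations that never occur in a legitimate exchange (a real FIN
# always carries ACK; a segment with no flags at all is meaningless).
PROBE_SIGNATURES = {0: "NULL probe", FIN: "FIN probe",
                    FIN | URG | PSH: "Xmas (FIN/URG/PSH) probe"}

def classify_flags(flags):
    """Name the probe type that a single segment's flag byte corresponds to."""
    if flags in PROBE_SIGNATURES:
        return PROBE_SIGNATURES[flags]
    return {SYN: "SYN (connection request)", ACK: "bare ACK"}.get(flags, "other")

def detect_tcp_scans(packets, min_ports=5):
    """packets: iterable of (src_ip, dst_ip, dst_port, flags) for segments sent
    towards the protected host. Returns a list of (src, dst, detail, kind)."""
    alerts = []
    syn_ports = defaultdict(set)  # (src, dst) -> ports that received a bare SYN
    completed = defaultdict(set)  # (src, dst) -> ports where the client then sent its ACK
    ack_ports = defaultdict(set)  # (src, dst) -> ports hit by an ACK with no prior SYN
    for src, dst, dport, flags in packets:
        if flags in PROBE_SIGNATURES:
            alerts.append((src, dst, dport, classify_flags(flags)))  # one packet suffices
        elif flags == SYN:
            syn_ports[(src, dst)].add(dport)
        elif flags == ACK:
            if dport in syn_ports[(src, dst)]:
                completed[(src, dst)].add(dport)  # third step of the handshake
            else:
                ack_ports[(src, dst)].add(dport)  # ACK-scan candidate
    # Half-open scan: many ports got a SYN that the client never followed with its ACK.
    for key, ports in syn_ports.items():
        if len(ports - completed[key]) >= min_ports:
            alerts.append((*key, len(ports - completed[key]), "SYN (half-open) scan"))
    for key, ports in ack_ports.items():
        if len(ports) >= min_ports:
            alerts.append((*key, len(ports), "ACK scan (bare ACKs without a handshake)"))
    return alerts

# Constructed sample traffic: a legitimate client, a port scanner and an ACK prober.
PACKETS = [("10.0.0.5", "10.0.0.9", 443, SYN), ("10.0.0.5", "10.0.0.9", 443, ACK),
           ("10.0.0.5", "10.0.0.9", 443, PSH | ACK),
           ("10.0.0.77", "10.0.0.9", 80, FIN | URG | PSH), ("10.0.0.77", "10.0.0.9", 22, 0)]
PACKETS += [("10.0.0.77", "10.0.0.9", p, SYN) for p in (21, 22, 23, 25, 80, 110, 143, 443)]
PACKETS += [("10.0.0.88", "10.0.0.9", p, ACK) for p in (21, 22, 25, 80, 443, 8080)]
```

The legitimate client completes its handshake and raises no alert, which is what separates a half-open scan from ordinary connection setup in the flag sequence alone.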

Please credit the original source when reposting: https://www.9cbs.com/read-93375.html
